Hey all,
I have a weird issue trying to configure SAML with Azure AD. I’ve set up metadata_url and according to the logs it’s pulling it just fine. However I’m getting an error with the Base64Utility.Decode() function, which makes it seem like it’s not parsing the cert correctly from the metadata. I’ll post the metadata sample from Azure below. Is there any way to manually insert the cert content to the config? Or am I missing something… thanks!
$ is a placeholder; the URLs and roles are configured properly.
SAML config:
saml_auth_domain:
  http_enabled: true
  order: 0
  http_authenticator:
    type: saml
    challenge: true
    config:
      idp:
        metadata_url: https://login.microsoftonline.com/$
        entity_id: https://sts.windows.net/$
      sp:
        entity_id: kibana-saml
      roles_key: $
      kibana_url: https://kibana.$.com
      exchange_key: JZtoofdsatgreastgresg.........
  authentication_backend:
    type: noop
Metadata:
https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml
Error when trying to push config:
[2019-08-12T23:45:15,227][INFO ][o.o.s.m.r.i.AbstractReloadingMetadataResolver] [server] Metadata Resolver SamlHTTPMetadataResolver com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator_17: New metadata successfully loaded for 'https://login.microsoftonline.com/$/federationmetadata/2007-06/federationmetadata.xml?appid=$'
[2019-08-12T23:45:15,227][INFO ][o.o.s.m.r.i.AbstractReloadingMetadataResolver] [server] Metadata Resolver SamlHTTPMetadataResolver com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator_17: Next refresh cycle for metadata provider 'https://login.microsoftonline.com/$/federationmetadata/2007-06/federationmetadata.xml?appid=$' will occur on '2019-08-13T06:45:15.077Z' ('2019-08-13T02:45:15.077-04:00' local time)
[2019-08-12T23:45:15,228][ERROR][c.a.d.a.h.s.HTTPSamlAuthenticator] [server] Error creating HTTPSamlAuthenticator: java.lang.SecurityException: org.apache.cxf.common.util.Base64Exception: Runtime exception in Base64Utility.decode() during output. SAML authentication will not work
java.lang.SecurityException: org.apache.cxf.common.util.Base64Exception: Runtime exception in Base64Utility.decode() during output
at org.apache.cxf.rt.security.crypto.CryptoUtils.decodeSequence(CryptoUtils.java:664) ~[cxf-rt-security-3.2.2.jar:3.2.2]
at org.apache.cxf.rs.security.jose.common.JoseUtils.decode(JoseUtils.java:117) ~[cxf-rt-rs-security-jose-3.2.2.jar:3.2.2]
at org.apache.cxf.rs.security.jose.jws.JwsUtils.getSignatureProvider(JwsUtils.java:103) ~[cxf-rt-rs-security-jose-3.2.2.jar:3.2.2]
at org.apache.cxf.rs.security.jose.jws.JwsUtils.getSignatureProvider(JwsUtils.java:91) ~[cxf-rt-rs-security-jose-3.2.2.jar:3.2.2]
at com.amazon.dlic.auth.http.saml.AuthTokenProcessorHandler.<init>(AuthTokenProcessorHandler.java:120) ~[opendistro_security_advanced_modules-1.1.0.0.jar:1.1.0.0]
at com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator.<init>(HTTPSamlAuthenticator.java:118) [opendistro_security_advanced_modules-1.1.0.0.jar:1.1.0.0]
at jdk.internal.reflect.GeneratedConstructorAccessor85.newInstance(Unknown Source) ~[?:?]
at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]
at com.amazon.opendistroforelasticsearch.security.support.ReflectionHelper.instantiateAAA(ReflectionHelper.java:259) [opendistro_security-1.1.0.0.jar:1.1.0.0]
at com.amazon.opendistroforelasticsearch.security.securityconf.DynamicConfigModelV7.newInstance(DynamicConfigModelV7.java:334) [opendistro_security-1.1.0.0.jar:1.1.0.0]
at com.amazon.opendistroforelasticsearch.security.securityconf.DynamicConfigModelV7.buildAAA(DynamicConfigModelV7.java:251) [opendistro_security-1.1.0.0.jar:1.1.0.0]
at com.amazon.opendistroforelasticsearch.security.securityconf.DynamicConfigModelV7.<init>(DynamicConfigModelV7.java:60) [opendistro_security-1.1.0.0.jar:1.1.0.0]
at com.amazon.opendistroforelasticsearch.security.securityconf.DynamicConfigFactory.onChange(DynamicConfigFactory.java:165) [opendistro_security-1.1.0.0.jar:1.1.0.0]
at com.amazon.opendistroforelasticsearch.security.configuration.ConfigurationRepository.notifyAboutChanges(ConfigurationRepository.java:308) [opendistro_security-1.1.0.0.jar:1.1.0.0]
at com.amazon.opendistroforelasticsearch.security.configuration.ConfigurationRepository.reloadConfiguration0(ConfigurationRepository.java:297) [opendistro_security-1.1.0.0.jar:1.1.0.0]
at com.amazon.opendistroforelasticsearch.security.configuration.ConfigurationRepository.reloadConfiguration(ConfigurationRepository.java:280) [opendistro_security-1.1.0.0.jar:1.1.0.0]
at com.amazon.opendistroforelasticsearch.security.action.configupdate.TransportConfigUpdateAction.nodeOperation(TransportConfigUpdateAction.java:126) [opendistro_security-1.1.0.0.jar:1.1.0.0]
at com.amazon.opendistroforelasticsearch.security.action.configupdate.TransportConfigUpdateAction.nodeOperation(TransportConfigUpdateAction.java:58) [opendistro_security-1.1.0.0.jar:1.1.0.0]
at org.elasticsearch.action.support.nodes.TransportNodesAction.nodeOperation(TransportNodesAction.java:129) [elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.action.support.nodes.TransportNodesAction$NodeTransportHandler.messageReceived(TransportNodesAction.java:246) [elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.action.support.nodes.TransportNodesAction$NodeTransportHandler.messageReceived(TransportNodesAction.java:242) [elasticsearch-7.1.1.jar:7.1.1]
at com.amazon.opendistro.elasticsearch.performanceanalyzer.transport.PerformanceAnalyzerTransportRequestHandler.messageReceived(PerformanceAnalyzerTransportRequestHandler.java:43) [opendistro_performance_analyzer-1.1.0.0.jar:1.1.0.0]
at com.amazon.opendistroforelasticsearch.security.ssl.transport.OpenDistroSecuritySSLRequestHandler.messageReceivedDecorate(OpenDistroSecuritySSLRequestHandler.java:164) [opendistro_security-1.1.0.0.jar:1.1.0.0]
at com.amazon.opendistroforelasticsearch.security.transport.OpenDistroSecurityRequestHandler.messageReceivedDecorate(OpenDistroSecurityRequestHandler.java:163) [opendistro_security-1.1.0.0.jar:1.1.0.0]
at com.amazon.opendistroforelasticsearch.security.ssl.transport.OpenDistroSecuritySSLRequestHandler.messageReceived(OpenDistroSecuritySSLRequestHandler.java:86) [opendistro_security-1.1.0.0.jar:1.1.0.0]
at com.amazon.opendistroforelasticsearch.security.OpenDistroSecurityPlugin$7$1.messageReceived(OpenDistroSecurityPlugin.java:623) [opendistro_security-1.1.0.0.jar:1.1.0.0]
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:63) [elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.transport.TransportService$7.doRun(TransportService.java:693) [elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:751) [elasticsearch-7.1.1.jar:7.1.1]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-7.1.1.jar:7.1.1]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
at java.lang.Thread.run(Thread.java:835) [?:?]
Caused by: org.apache.cxf.common.util.Base64Exception: Runtime exception in Base64Utility.decode() during output
at org.apache.cxf.common.util.Base64Utility.decode(Base64Utility.java:202) ~[cxf-core-3.2.2.jar:3.2.2]
at org.apache.cxf.common.util.Base64UrlUtility.decode(Base64UrlUtility.java:41) ~[cxf-core-3.2.2.jar:3.2.2]
at org.apache.cxf.rt.security.crypto.CryptoUtils.decodeSequence(CryptoUtils.java:662) ~[cxf-rt-security-3.2.2.jar:3.2.2]
... 34 more
Any help would really be appreciated. Let me know if you need more information.
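Added example, not part of the original post and not code from the Open Distro project. One thing worth checking against the trace above: the metadata resolver logs "New metadata successfully loaded" before the exception, and the decode that throws is reached from JwsUtils.getSignatureProvider through JoseUtils.decode, CryptoUtils.decodeSequence and Base64UrlUtility.decode inside the AuthTokenProcessorHandler constructor. That is JOSE/JWS key material being parsed as base64url, not the X.509 certificate from the IdP metadata. My reading (an assumption about the plugin's internals, not something the post states) is that this is the HMAC signing key the plugin builds from exchange_key. The script below is a strict, self-contained base64url checker in the spirit of RFC 4648 section 5 that you can run offline against a candidate exchange_key before pushing the config; it is an approximation of what a strict JOSE decoder enforces, not a port of CXF. All sample keys in it are constructed for the demonstration; the helper and function names are my own.

```python
import base64
import binascii
import os
import string

# Characters a strict base64url decoder accepts (RFC 4648 section 5).
_B64URL_ALPHABET = set(string.ascii_letters + string.digits + "-_")


def check_base64url(value: str) -> tuple[bool, str, int]:
    """Return (ok, reason, decoded_byte_length) for a candidate base64url string.

    Mirrors the checks a strict JOSE-style decoder performs before the bytes
    reach an HMAC provider: strip optional trailing '=' padding, reject any
    character outside the base64url alphabet, reject a length that can never
    be padded to a multiple of four, then decode.
    """
    unpadded = value.rstrip("=")
    if unpadded == "":
        return False, "empty value", 0
    bad = sorted({c for c in unpadded if c not in _B64URL_ALPHABET})
    if bad:
        return False, f"illegal characters for base64url: {bad}", 0
    if len(unpadded) % 4 == 1:
        return False, "length % 4 == 1 can never be valid base64", 0
    padded = unpadded + "=" * (-len(unpadded) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError) as exc:  # defensive; alphabet check should prevent this
        return False, f"decode error: {exc}", 0
    return True, "ok", len(raw)


def check_exchange_key(value: str, min_bytes: int = 32) -> tuple[bool, str]:
    """Decode the key as base64url and require enough entropy for HMAC-SHA256.

    min_bytes=32 (256 bits) is the conventional floor for an HMAC-SHA256 key;
    it is my choice for this example, not a value taken from the plugin docs.
    """
    ok, reason, n = check_base64url(value)
    if not ok:
        return False, reason
    if n < min_bytes:
        return False, f"decoded key is {n} bytes; want at least {min_bytes}"
    return True, f"ok ({n} bytes after decoding)"


def new_exchange_key(nbytes: int = 64) -> str:
    """Generate a random key as unpadded base64url, the form JOSE expects."""
    return base64.urlsafe_b64encode(os.urandom(nbytes)).rstrip(b"=").decode("ascii")


# Constructed samples for the demonstration (not keys from the post).
SAMPLE_KEYS = {
    "dots_in_value": "JZtoofdsat.gres",      # '.' is outside the alphabet
    "standard_b64": "ab+cd/ef==",            # '+' and '/' are standard base64, not url-safe
    "bad_length": "abcde",                   # 5 chars: can never pad to a multiple of 4
    "too_short": "abc",                      # decodes, but only to 2 bytes
    "padded_ok": "QUI=",                     # trailing '=' tolerated, decodes to 2 bytes
    "long_enough": "A" * 43,                 # decodes to 32 zero bytes (length check only)
}


def report(samples: dict[str, str]) -> dict[str, bool]:
    """Run check_exchange_key over every sample; return name -> accepted."""
    results = {}
    for name, key in samples.items():
        ok, reason = check_exchange_key(key)
        results[name] = ok
        print(f"{name:14s} {'OK ' if ok else 'BAD'} {reason}")
    return results


if __name__ == "__main__":
    report(SAMPLE_KEYS)
    fresh = new_exchange_key()
    print("generated:", fresh, check_exchange_key(fresh))
```

The point of the checker is that a human-readable passphrase with punctuation, or a value that was pasted with stray characters, is not base64url and will fail exactly this kind of decode; a key produced the way new_exchange_key() does it passes every check and carries real entropy, which is what an HMAC signing secret should have anyway.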